BreachExchange mailing list archives

Separating cybersecurity hype from reality


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Aug 2014 18:52:05 -0600

http://www.mcall.com/opinion/national/sns-201408051300--tms--amvoicesctnav-b20140805-20140805,0,5334018.column

The big players in the global information-security industry are
intermingling with computer hackers this week at the annual Black Hat
conference in Las Vegas. Even Chris Inglis, who stepped down as the deputy
director of the National Security Agency earlier this year, is scheduled to
attend the conference in his new capacity as an advisor to the American
security-intelligence company Securonix. The purpose of the event is to
reveal and discuss new threats and research in the field of cybersecurity.

So, why should you care?

Computers now affect every aspect of our lives, from transportation to
banking to health care to transactions. We typically don't think much about
it until there's a problem. For example, the automated commuter train we
take to work every morning breaks down, or our credit card numbers are
stolen from a store's database and published online, or the payment
terminal at a store malfunctions and we're momentarily shocked at having to
pay for a purchase in a more prehistoric way.

The phenomenon of technological ubiquity isn't even specific to the
developed world anymore. Last week, Reuters quoted a Senegalese man on
using his mobile phone for payments: "It is like having cash on you but
safer because you don't have to carry the actual money on you all the time."

Couple this rapid technological expansion with the propensity of Middle
Eastern and African banks not to disclose cyber attacks, and cyber
attackers have a huge new market to exploit.

According to a new report by Palo Alto Networks, Nigerian email scammers
have upped their game, moving on from soliciting bank account information
from their targets to "spear phishing." This tactic uses a ruse to get the
target to click on a link or open a document in an email, resulting in
code being installed on the target's computer that grants the scammer
covert access to the target's computer and network.

The more we know about technology, the more we should see vulnerabilities
rather than simply assume safety, as many of us do. Some of these
vulnerabilities are due to the fact that government intelligence services
themselves have installed backdoor access in their cryptographic protocols,
which are then used by everyone in private industry. It's one thing to
build in backdoor access for intelligence purposes, but this assumes that
U.S. intelligence agencies are the only ones in the world smart enough to
find and use the back door.

The flip side of technological complacency is that average users are prone
to getting spooked by either an attack or the mass publicity around one.
They tend to overreact and start seeing cyber-bogeymen everywhere. It's
easy for paranoia to flood in and fill a knowledge vacuum.

In much the same way that the military-industrial complex thrives on the
fear of war, the IT-industrial complex benefits from public paranoia. Few
information-security professionals publicly shrug off some of the obvious
smoke and mirrors, such as the recent denial-of-service attacks on some
Israeli government websites by the hacktivist group Anonymous -- including
the public-facing website of Israel's foreign intelligence service, Mossad
-- at a time when the conflict in Gaza has reignited. If Anonymous wanted
to pose a legitimate threat, it would be hacking Israel's Iron Dome
missile-defense system rather than blocking the e-driveway to a few
websites.

A much-hyped Black Hat presentation this week by a cybersecurity researcher
will reportedly reveal how vulnerabilities in an airplane's wireless
Internet or entertainment system can compromise its aviation equipment. But
both the equipment manufacturer and the researcher himself have questioned
the practical feasibility of the risk.

There's a fine but critical line in all of this, with the
information-security industry getting together to assess threats and risk,
and the subsequent possibility of the general public being spooked by
potential threats that it can't fully understand because of technical
complexities.

To ascertain the true degree of risk and paint a clear picture of what a
"Cyber 9/11" attack would look like, it would be valuable for an event like
Black Hat to host an expert-designed, "force-on-force" war game, with top
cybersecurity experts facing off against the world's best hackers. Let's
find out how much hysteria is warranted for a worst-case cyber-Armageddon.

The information-security industry should also partner with political-risk
specialists to gain a broader understanding of who the attackers are, what
they are after based on system resources they have previously targeted, and
where the government and the private sector should be focusing their
cybersecurity resources.

Where there's political unrest, there's cybersecurity risk. It's a logical
extension of geopolitical competition. And it's critical to keep it all in
perspective.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 